Data Protection Policy
1. Data Protection Policy
The KaDeWe Group GmbH, as Controller within the meaning of Art. 4 No. 7 GDPR, is happy that you are taking the time to visit the website https://www.alsterhaus.de/en/ (hereinafter referred to as the “Website”). In the following, we would like to inform you as transparently as possible about the type, scope and purpose of data capture and use. Should you believe that we have not done this sufficiently, you can find the contact details of our Data Protection Officer at the end of this Data Protection Policy.
The Controller within the meaning of Art. 4 No. 7 GDPR is:
The KaDeWe Group GmbH
The persons authorised to represent the company are the Managing Directors André Maeder, Sean Hill and Dr. Michael Peterseim. The registered office and court of registration is Essen. The KaDeWe Group GmbH has its company address at the above address.
1.1 Explanations on data protection
Generally, data protection applies to all information which relates to an identified or identifiable person, i.e. information which can be allocated to that person directly or indirectly (so-called personal data). In particular, this concerns information like name, address, date of birth etc. or combinations of these.
Information which can be allocated to a natural person through an identifier (e.g. number, IP address, or similar) also falls under the data protection requirements.
If, however, the information is amended so that it is not possible to allocate it directly or indirectly to a natural person, then this is considered anonymised information. Such data (e.g. collected (aggregated) data sets or abbreviated IP addresses) do not fall under the rules on data protection.
With the following explanations, we would like to inform you about the processing of personal information relevant to this website. The term processing comprises the complete process from capture, through storage, editing and/or sending, to erasure of the data.
1.2 Information on data capture
1.2.1 Informational use of our website
In the case of purely informational use of the website, i.e. if you do not register or otherwise send us information, we only capture the personal data which your browser transmits to our servers. If you would like to view our website, we capture the following data, which are technically required for us in order to display our website to you and to guarantee stability and security (legal basis for this is Art. 6 (1) Sentence 1 (f) GDPR):
– IP address
– Date and time of the request
– Time zone difference to Greenwich Mean Time (GMT)
– Content of the request (specific site)
– Access status/HTTP status code
– HTTP referrer, if set
– particular data volume transferred
– website from which the request comes
– operating system and its interfaces
– language and version of the browser software
– visitor’s request [HTTP request method used (e.g. GET), file requested and version of the HTTP protocol used]
– size of the server response in bytes
– if the site is password protected, the username used.
These data will be erased after 14 days.
1.2.2 Storage of cookies
|Name|Scope of Application|Storage period|Purpose|
|_unam|www.alsterhaus.de|2 years|Cookie for data traffic analysis by Google Analytics|
|_icl_current_language|www.alsterhaus.de|1 day|This cookie stores a language value for this website|
|wpml_referer_url|www.alsterhaus.de|10 minutes|This cookie stores a language value for this website|
|_ga|www.alsterhaus.de|2 years|This cookie serves to differentiate users via Google Analytics|
|_gid|www.alsterhaus.de|2 days|This cookie serves web statistics|
|_gat|www.alsterhaus.de|2 years|This cookie serves to reduce the request rate by Google|
(2) The IP address transmitted by your browser within the scope of Google Analytics is not merged with other data from Google.
(3) You can prevent cookies from being stored by setting up your browser software accordingly; we point out, however, that in this case you may not be able to use all functions of this website in full. In addition, you can prevent the data generated by the cookie and which relates to your use of the website (incl. your IP address) from being captured by Google, as well as the processing of such data by Google, by clicking the button below, or by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
(4) This website uses Google Analytics with the extension “_anonymizeIp()”. In this way, IP addresses will be further processed in truncated form, and in this way any direct reference to persons can be excluded. Insofar as the data captured about you has a personal element to it, this will be excluded immediately and the personal data will be erased immediately.
(5) We use Google Analytics in order to be able to analyse the use of our website and regularly improve it. Using the statistics acquired, we can improve our offer and design it in a more interesting way for you as user. The legal basis for the use of Google Analytics is Art. 6 (1) Sentence 1 (f) GDPR because we have a legitimate interest in the analysis of user behaviour in order to optimise both our web offer as well as our marketing and to be able to offer you an appropriate offer. For exceptional cases where personal data are transferred to the USA, Google is subjected to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
1.2.4 Video services
(1) We have integrated Vimeo videos into our online offer, which are stored at https://www.vimeo.com and which can be played directly from our website.
(2) By visiting the website, Vimeo receives the information that you have requested the corresponding sub-page of our website. The following will also be recorded: the IP address, date and time of the request; the time zone difference with Greenwich Mean Time; the content of the request (specific site); the access status/ HTTP status code; the particular data volume transferred; the website from which the request comes; the browser; the operating system and its interfaces and the language and version of the browser software. This takes place irrespective of whether Vimeo provides a user account which you are logged into, or whether a user account exists. If you don’t want to be assigned to Vimeo with your profile, you must log out before activating the button.
(4) Vimeo is used in the interests of providing an attractive presentation of our online offer. This represents a legitimate interest within the meaning of Art 6 (1) Sentence 1 (f) GDPR.
1.2.5 Map services
(1) We use the offer of Google Maps on this website. In this way, we can display interactive maps to you directly on the website and allow you to easily use the maps function.
(2) By visiting the website, Google receives the information that you have requested the corresponding sub-page of our website. The following will also be recorded: the IP address, date and time of the request; the time zone difference with Greenwich Mean Time; the content of the request (specific site); the access status/ HTTP status code; the particular data volume transferred; the website from which the request comes; the browser; the operating system and its interfaces and the language and version of the browser software. This takes place irrespective of whether Google provides a user account which you are logged into, or whether a user account exists. If you are logged in to Google, this data is assigned directly to your account. If you don’t want to be assigned to Google with your profile, you must log out before activating the button. Google stores your data as a usage profile and uses it for the purposes of advertising, market research and/or needs-based design of its website. Such an analysis is carried out in particular (even for users not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have a right to object to the creation of this user profile, and if you wish to exercise this right it must be addressed to Google.
Google also processes your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(4) Google Maps is used in the interests of an attractive presentation of our online offer and to make it easy to find the locations provided by us on the website. This represents a legitimate interest within the meaning of Art 6 (1) Sentence 1 (f) GDPR.
1.2.6 External Captcha
We use the program Google reCaptcha from Google Inc. It serves to differentiate between natural persons and a machine and automated processing. It is necessary for us to make this differentiation in order to exclude improper use of the content through automated processing. The legal basis for this is Art. 6 (1) Sentence 1 (f) GDPR. We have a legitimate interest to ensure the security of our website and to protect ourselves from automated input (attacks).
Data will be sent to Google if the visitor to the site uses reCaptcha. This concerns the IP address, date and time of the request; the time zone difference with Greenwich Mean Time; the content of the request (specific site); the access status/ HTTP status code; the particular data volume transferred; the website from which the request comes; the browser; the operating system and its interfaces and the language and version of the browser software.
Your IP address will be truncated by Google within the Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a server of Google in the USA, and truncated there. Google will use this information on behalf of the operator of this website to analyse your use of this service. The IP address transmitted by your browser within the scope of reCaptcha is not merged with other data from Google. Google also processes your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
1.2.7 Integration of social media plug-ins
We use so-called “social media plug-ins” on our website. These are currently the plug-ins from the services Facebook, Tumblr and Twitter (hereinafter collectively referred to as “social networks”). Via the plug-ins, we offer you the option to interact with the social networks and other users, so that we can improve our offer and make it more interesting for you as user. The legal basis for the use of plug-ins is Art. 6 (1) Sentence 1 (f) GDPR. Through these plug-ins, personal data can be sent to the US providers of these social networks (hereinafter referred to as “service providers”) and, if necessary, used by them.
Social plug-ins usually mean that every visitor to a page is immediately captured by the service provider together with the visitor’s IP address, and the visitor’s other activities are logged on the Internet. This happens even if the visitor does not click on one of the buttons.
To prevent this, we use the tool “Shariff”, which was developed by the computer magazine c’t and heise online (Heise Medien GmbH & Co. KG). This tool ensures that no contact is established between the service providers and the visitor until the visitor clicks on a Share button. If the user is already logged on to a social network, the information is shared on Facebook without another window opening. With Twitter and Tumblr, a pop-up window appears in which you can still edit the text of the tweet or the post.
Once you have clicked on the corresponding social plug-in, the service providers will get the information that you have accessed the corresponding sub-site of our online offer. You don’t need to have an account with this service provider for this, or be logged in to it. If you are logged in to the service provider, this data is assigned directly to your account. If you click on one of the social plug-ins and link the page, for example, the service provider also saves this information in your user account and publicly informs your contacts of this.
We have no influence on either the data captured and data processing procedures, nor do we know the full extent of the data capture, the purposes of the processing or the storage periods. We also have no information about the erasure of the data captured by the plug-in provider.
In addition to the plug-ins, you can find links to our profiles on Facebook and Instagram at the bottom of our page. If you click on these links, a new window will open with the website of the particular service provider. You can find information about how these providers process your personal data at:
1.2.8 Integration of advertising / Themed contents
DoubleClick by Google and Google AdWords
(2) When a website is requested, on which the marketing tool is used, your browser automatically establishes a direct connection with the Google servers. We have no influence on the scope and the further use of the data which are captured by the use of these tools by Google and therefore inform you about our state of knowledge: By integrating the marketing tools used, Google receives the information that you requested the corresponding part of our internet presence or clicked on an ad by us on other websites. Insofar as you are registered with a service from Google, Google can allocate the visit to your account. Even if you are not registered with Google or are not logged in, there is the possibility that Google learns about and stores your IP address; date and time of the request; the time zone difference with Greenwich Mean Time; the content of the request (specific site); the access status/ HTTP status code; the particular data volume transferred; the website from which the request comes; the browser; the operating system and its interfaces and the language and version of the browser software.
(3) You can prevent participation in this tracking procedure in different ways:
a) with a corresponding configuration of your browser software, in particular rejecting third party cookies will mean that you will not receive any ads from third party providers;
b) by deactivating cookies for conversion tracking by configuring your browser in such a way that cookies are blocked by the domain “www.googleadservices.com”, https://www.google.de/settings/ads, whereby this setting will be erased if you erase your cookies;
c) by deactivating interest-related ads by the provider, which are part of the self-regulating campaign “About Ads” using the link http://www.aboutads.info/choices, whereby this setting will be erased if you erase your cookies;
d) by permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome using the link http://www.google.com/settings/ads/plugin. We point out that in this case you might not be able to use all functions of this offer in full.
(4) The legal basis for the processing of your data is Art. 6 (1) Sentence 1 (f) GDPR. By using the marketing tools used, we want to ensure that you are only shown advertising which is oriented towards your actual or presumed interests.
(5) You can find more information on DoubleClick by Google and Google AdWords at https://www.google.de/doubleclick and https://adwords.google.com/intl/de_de/home/, as well as data protection at Google generally: https://www.google.de/intl/de/policies/privacy. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at http://www.networkadvertising.org. Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
1.3 Contact form
If you contact us by email or using a contact form, the data sent by you (in particular: your email address and your name as well as the personal data which you might send to us in your message) will be stored by us in order to answer your questions. The legal basis for the processing of the data is Art. 6 (1) Sentence 1 (b) GDPR if the purpose of your contacting us is in connection with the execution of pre-contractual measures or fulfilment of a contractual relationship existing between us. In other cases, the legal basis is Art. 6 (1) Sentence 1 (f) GDPR. We have a legitimate interest in processing your data in order to be able to respond to your requests, and so to make our customer service even more convenient. We erase the data accrued in this connection after it is no longer necessary to store it. This is generally the case if your concerns have been conclusively dealt with.
(1) With your consent, you can also subscribe to our newsletter, with which we inform you about our current interesting offers. The legal basis is Art. 6 (1) Sentence 1 (a) GDPR.
(2) We use the so-called double-opt-in procedure for registration to our newsletter. That is to say that we will send you an email to the email address provided after you have registered, in which we request confirmation that you wish to be sent the newsletter. If you do not confirm your registration within [7 days] your information will be erased automatically. In addition, we store your IP addresses used and times of registration and confirmation. The purpose of the procedure is to prove your registration and, where applicable, to be able to resolve a possible abuse of your personal data.
(3) The only mandatory information to be sent the newsletter is your email address. The entry of other, separately marked data is voluntary and will be used to be able to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter.
(4) We use the email service provider Mailjet to send our newsletter. Mailjet is an offer from Mailjet SAS (commercial register Paris 524 536 992), 13-13bis, rue de l’Aubrac, 75012 Paris.
In doing so, the email addresses of our newsletter recipients will be stored on the Mailjet servers in the European Economic Area. Mailjet uses this information to send and analyse the newsletter on our behalf. Furthermore, Mailjet can use these data according to the information available to it to optimise or improve its own services, e.g. for technical optimisation of the sending and presentation of the newsletter or for economic purposes in order to determine which countries the recipients are from. Mailjet does not however use the data of our newsletter recipients to write to them itself or to pass it on to third parties.
Mailjet hosts its services on the Google Cloud, which is certified pursuant to ISO 27001, 27017, 27018 and SSAE16/ISAE 3402 (SOC 2/3). In addition, we have concluded a processing agreement with Mailjet. This is a contract in which Mailjet undertakes to process the data of our users only on our behalf according to our instructions and in particular not to pass on the data to third parties.
You can find more information about the handling of personal data by Mailjet at: www.mailjet.de/sicherheit-datenschutz/
(5) You can withdraw your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare the withdrawal by clicking on the link provided in all newsletter emails, https://www.alsterhaus.de/en/contact/, by email to email@example.com or by sending a message to the contact provided in the Legal Notice.
1.5 Customer card account
(1) You can apply for a free customer card on our website. To do so, you must register with us.
With your consent when registering, you voluntarily provide your consent – which is revocable at any time – that The KaDeWe Group GmbH may capture, process and use your personal data such as form of address, name, surname, title, your address (street, number, post code, city and state), your telephone number and email address, as well as the time of the registration, the internal identification number issued automatically by us and your customer number issued automatically as well as your encrypted password in order to set up your user account.
Your data will only be used for marketing purposes if you have granted your express consent to this.
(2) The legal basis for the processing of your data is Art. 6 (1) Sentence 1 (a) GDPR. You have the right to withdraw the aforementioned declaration of consent for the capture, processing and use of your data by simply sending a notification in this regard to The KaDeWe Group GmbH at the address provided below. Your personal data will then be deleted entirely. Please note that deletion of your data may mean that you will no longer be able to use our services that are reserved for registered users.
(3) You can also withdraw your consent only in relation to use for marketing purposes.
We offer you a sub-site on careers on our website. You can find information on how your personal data which we process if you apply to us is handled on the career website, which is operated by our service provider softgarden e-recruiting GmbH.
(1) We offer competitions on our website from time to time. We collect, process and store the personal data required for carrying out these competitions – such as first and last name, email address and physical address.
(3) If you were to deny the use of your data in connection with your participation in competition, you will not be able to continue participating in that competition.
1.8 Customer WiFi inside Alsterhaus
We (The KaDeWe Group GmbH, Katharina-Heinroth-Ufer 1, 10787 Berlin) provide visitors to our store “Alsterhaus” (Jungfernstieg 16-20, 20354 Hamburg) with access to the Internet via a service provider (ituma GmbH, Kleinhülsen 29, 40721 Hilden) in the form of WiFi access (“customer WiFi”) for free use.
For this, we have equipped our store extensively with WiFi access points, which allow WiFi-enabled end devices (in particular tablets and smartphones) access to the Internet. These devices record the MAC address of WiFi enabled end devices of visitors which are within its range, on which the WiFi function is switched on and on which the visitors have established a connection between the end device and the WiFi network. The MAC address (Media Access Control address) is the hardware address of a network adapter (e.g. the WiFi adapter in your smartphone) which serves as a clear identifier of the device in a computer network. These data cannot be allocated directly to your person.
In order to manage the WiFi access points, we use an offer from Meraki LLC, 500 Terry Francois Blvd, San Francisco, CA 94158. We have concluded a processing agreement with Meraki LLC. This is a contract in which Meraki LLC undertakes to process the data of our visitors only on our behalf according to our instructions and in particular not to pass on the data to third parties. Insofar as Meraki LLC in exceptional cases also processes personal data outside of the European Economic Area, we have agreed so-called standard contract clauses with Meraki LLC, which ensure that Meraki LLC takes appropriate measures to protect your personal data. In addition, Meraki LLC is certified under the EU-US Privacy Shield.
The MAC addresses shall be stored by Meraki LLC for the purpose of fault analysis and provision of the WiFi network, and erased after 21 days. The KaDeWe Group GmbH is legally responsible for the data processing. The legal basis for the capture and processing of your MAC address is Art. 6 (1) Sentence 1 (f) GDPR. We have a legitimate interest in offering visitors to our store a customer WiFi in order to create an even more pleasant shopping experience for our visitors. This interest outweighs your personality rights because the capture of your MAC address cannot be technically avoided and we only process this if you want further processing.
You can prevent the capture of your MAC address for instance by not establishing any connection to the WiFi network with your end device as well as deactivating the WiFi function of your end device when visiting our store again after already successfully connecting to the WiFi network.
If you actively connect to our customer WiFi and register on our customer WiFi using the logon screen or agree to the terms and conditions of use, we send your MAC address to our service provider so that it can allow you access to the Internet. You can find information about the processing of your personal data by ituma GmbH when using the customer WiFi here: https://datenschutz.ituma.eu/kadewe_ituma.html
The legal basis for the transfer of your MAC address is Art. 6 (1) Sentence 1 (f) GDPR. Our service provider has a legitimate interest in receiving your MAC address so that it can fulfil the contract concluded with you and offer you a secure and permanent functioning and efficient customer WiFi.
1.9 Involvement of service providers
(1) To operate this web offer, we use the services of a service provider specialising in web hosting and are supported by a marketing agency to maintain the sites. We have concluded processing agreements with these companies, which ensure that these service providers guarantee the security and confidentiality of your personal data and only process the data according to our instructions. On request, we will provide you with a detailed overview of the service providers engaged by us.
(2) In order to process orders, under certain circumstances we will also send your personal data to companies commissioned with payment processing and delivery of the goods. These companies may only use your data for the purposes of fulfilling the contract concluded between you and us. There will be no use going beyond this, in particular for marketing purposes. The legal basis for the processing of the data is Art. 6 (1) (b) GDPR as well as Art. 6 (1) (f) GDPR, if we obtain credit checks on your previous payment behaviour. We have a legitimate interest in your previous payment behaviour in order to be able to assess whether we can offer you e.g. a purchase on account.
2. Erasure and blockage of data
We only store personal data for as long as it is necessary to fulfil the purpose for which your personal data were captured or processed.
Safekeeping obligations which obligate us to keep data safe follow for instance from the accounting requirements (Section 257 HGB [German Commercial Code]) and from tax provisions (Section 147 AO [German Tax Code] as well as Section 14b UStG [German VAT Act]). According to these provisions, commercial communications, concluded contracts and accounting receipts must be kept safe for ten years. Insofar as we no longer require these data to execute the services, the data will be blocked. This means that we may only use the data for purposes of invoicing and taxation.
3. Data protection rights and contact details
You generally have the following rights to the functions of our web offer or the purposes of data processing presented there, as explained in the section “Information on data processing”.
3.1 Rights of data subjects
Right of disclosure (Art. 15 GDPR)
We must disclose to you whether and how we process data about your person. In the case of such processing, we must inter alia present for what purposes the processing is carried out, which categories of personal data are processed, to whom data might be sent and for how long the data is stored.
Right to rectification and completion (Art. 16 GDPR)
Should you establish that we process personal data which are not correct or are incomplete, you may of course request rectification.
Right to erasure (Art. 17 GDPR)
If we process personal data inter alia without justification or after the purpose no longer applies, you can request its erasure.
Right to restriction of the processing (Art. 18 GDPR)
You can request restriction of the processing for the reasons mentioned in Art. 18 GDPR.
Right to data portability (Art. 20 GDPR)
If we process personal data inter alia without justification or after the purpose no longer applies, you can request its erasure. Furthermore, you have the right to receive from us all information which you have sent to us in a structured, common and machine-readable format.
Right to object (Art. 21 GDPR)
Even if your personal data are processed on the basis of legitimate interests pursuant to Art. 6 (1) Sentence 1 (e) or (f) GDPR, you have the right pursuant to Art. 21 GDPR to object to the processing of your personal data. In this case we will no longer process your personal information, unless there are mandatory reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend against legal claims. In case of an objection against purposes for direct marketing, you have a general right to object, which will be implemented by us without providing particular circumstances.
Right to lodge a complaint (Art. 77 GDPR)
You also have the right to complain to a data protection supervisory authority concerning the processing of your personal data by us (cf. Art. 77 GDPR). In this way you can claim your rights to data protection at any time and without incurring costs as a result. Our data protection officer shall review and respond to every matter individually. If you have any inquiries about data protection, please use our (https://www.alsterhaus.de/en/contact/) or one of the following contact options.
Email to: firstname.lastname@example.org
3.2 Data Protection Officer
Please contact our Data Protection Officer regarding all questions on data protection which concern our website and our service offer or to safeguard your personal rights:
Prof. Dr. Thomas Jäschke
Tel +49 211 93190-798
Fax +49 211 93190-799
3.3 Competent supervisory authority
You can of course also contact the supervisory authority for data protection competent for us at any time, the Berliner Beauftragte für Datenschutz und Informationsfreiheit, An der Urania 4-10, 10787 Berlin. Please find more information and current contact details on the website http://www.datenschutz-berlin.de
Or use the online complaint form email@example.com.
Last updated: 12/07/2018.